Cisco Employee

SSO auth for Anyconnect using ISE SAML identity integration

Hi all,

Our current deployment: We currently authenticate our AnyConnect users using ISE local accounts via RADIUS.

My question: Is it possible to use SSO integration on the ISE for AnyConnect authentication?

The deployment would ideally look like this:

AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO)


There are ISE guides for network authentication using a portal, however not for AnyConnect.

Appreciate any help on this.

Thanks


Accepted Solutions
Cisco Employee

Re: SSO auth for Anyconnect using ISE SAML identity integration

This is on ASA and AnyConnect, not ISE.

Please look at SAML in the guide:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-mobile-devices.html

Cisco Employee

Re: SSO auth for Anyconnect using ISE SAML identity integration

Thought that may be the case. Thanks

Beginner

Re: SSO auth for Anyconnect using ISE SAML identity integration

Looking to do this as well: AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO). Did you get it working and/or find documentation?


Thanks.

Cisco Employee

Re: SSO auth for Anyconnect using ISE SAML identity integration

Hi Tim, sorry, we didn't get any further with this; we just kept our current deployment with local accounts on ISE.

I am also unsure if you can use SAML auth with a non-mobile, client-based AnyConnect if you were to go down the ASA route that Jason mentioned.

Cisco Employee

Re: SSO auth for Anyconnect using ISE SAML identity integration

As Jason said earlier, it's not possible to do [AnyConnect -> ASA -> RADIUS -> ISE -> SAML -> Pingfederate IDP (SSO)].

Instead, it would be:

AnyConnect -> ASA -> SAML IdP

                           +----> ISE (could be authorized only).

The configuration would be similar to what is discussed in VPN certificate auth using ISE?

Beginner

Re: SSO auth for Anyconnect using ISE SAML identity integration

This is possible with Azure AD. But as the colleagues mention, only AnyConnect -> ASA.

If you have multiple factor authentication activated in Azure you can leverage this for your VPN connections when using SAML.

Beginner

Re: SSO auth for Anyconnect using ISE SAML identity integration

You could do the same with ADFS. You could add MFA to the SAML workflow in ADFS then, as has been stated, your authentication would be AnyConnect > ASA > ADFS (with MFA prompting). I think that would work.

 

I'm working on similar stuff and I use ISE as well.